Use --git-dir to avoid issues with CVE-2022-24765 mitigation #708
Conversation
src/setuptools_scm/git.py
Outdated
| def is_dirty(self): | ||
| out, _, _ = self.do_ex("git status --porcelain --untracked-files=no") | ||
| out, _, _ = self.do_ex( | ||
| f"git --git-dir={quote(self._git_dir)} " |
There was a problem hiding this comment.
Let's use the list form here
| @@ -92,6 +94,42 @@ def test_parse_call_order(wd): | |||
| git.parse(str(wd.cwd), git.DEFAULT_DESCRIBE) | |||
|
|
|||
|
|
|||
| @pytest.mark.issue("https://github.com/pypa/setuptools_scm/issues/707") | |||
| def test_not_owner(wd): | |||
There was a problem hiding this comment.
Let's mark this as xfail run=False for now
I almost suggested this! Something like |
|
Thanks for the review @RonnyPfannschmidt. I think these changes have also fixed the issue with the Windows CI in 2e54cc2. |
|
Gentle reminder, this is broken on some systems using newer git until this patch is made. (cibuildwheel should be fine by matching ownership, but multibuild still has mismatched owners). |
Due to this issue: pypa/manylinux#1309 Can likely remove the "pre-build command" once the following is merged and released in setuptools_scm: pypa/setuptools-scm#708 Bumping version of actions/checkout may or may not be necessary Bumping other versions not necessary but why not
|
i just merged this, will be part of the next release |
This is a possible solution to #707 by explicitly passing
--git-dir=$PWD/.git(which bypasses auto-discovery and therefore the vulnerability).I've tried to add a test for this in b8dcd7a. Obviously it has to change ownership to a non-existant user so it needs to use
sudobut I don't particularly like it. I can refactor if you have better ideas or drop the test entirely if you'd prefer.